Abstract

At Crypto 2015, Blondeau et al. presented a known-key analysis of the full PRESENT lightweight block cipher. Starting from some of the best differential distinguishers, they introduced a meet-in-the-middle (MitM) layer that is pre-added to the differential distinguisher, which extends the number of attacked rounds on PRESENT from 26 rounds to the full rounds without reducing the differential probability. In this paper, we generalize their method and present a distinguisher on a class of permutations called PRESENT-like permutations. This generic distinguisher is divided into two phases. The first phase is a truncated differential distinguisher with strong bias, which describes the imbalance of output collisions on some fixed bits, given inputs fixed in some bits; we take advantage of the strong relation between truncated differential probability and the capacity of a multidimensional linear approximation to derive the best differential distinguishers. The second phase is the meet-in-the-middle layer, which is pre-added to the truncated differential to propagate the differential properties as far as possible. Unlike Blondeau et al.'s work, we extend the MitM layer from a 64-bit internal state to states of any size, and we also give a concrete bound to estimate the number of rounds attacked by the MitM layer. As an illustration, we apply our technique to all versions of the SPONGENT permutations. In the truncated differential phase, we reach one, two or three rounds more than the results shown by the designers. In the meet-in-the-middle phase, we get up to 11 rounds to pre-add to the differential distinguishers. In total, we improve the previous distinguishers on all versions of the SPONGENT permutations by up to 13 rounds.
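The link between truncated differential probability and multidimensional linear capacity that the first phase relies on can be checked exhaustively on a small state. The following is an added example, not code from the paper: it assumes a constructed 8-bit PRESENT-like permutation (PRESENT S-box, PRESENT-style bit wiring, made-up round constants) and the identity p = 2^-q (C + 1), which follows from Parseval's relation; the paper's own formulation may differ.

```python
from fractions import Fraction

# PRESENT 4-bit S-box
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
B = 8  # toy state width in bits (constructed; far smaller than any real state)

def bit_layer(x):
    """PRESENT-style wiring: bit j moves to j*B/4 mod (B-1); the top bit stays put."""
    y = 0
    for j in range(B):
        dst = j if j == B - 1 else (j * (B // 4)) % (B - 1)
        y |= ((x >> j) & 1) << dst
    return y

def toy_perm(x, rounds):
    """Unkeyed toy permutation: constant addition, S-box layer, bit layer."""
    for r in range(rounds):
        x ^= r + 1  # constructed round constant
        x = sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(B // 4))
        x = bit_layer(x)
    return x

def submasks(mask):
    """Yield every mask whose set bits lie inside `mask`, including 0."""
    sub = mask
    while True:
        yield sub
        if sub == 0:
            return
        sub = (sub - 1) & mask

def truncated_prob(rounds, in_mask, out_mask):
    """P[outputs collide on out_mask bits | inputs agree on in_mask bits]."""
    ys = [toy_perm(x, rounds) for x in range(1 << B)]
    free = ~in_mask & ((1 << B) - 1)  # input bits allowed to differ
    pairs = [(x, x ^ d) for x in range(1 << B) for d in submasks(free)]
    hits = sum(1 for x, x2 in pairs if ((ys[x] ^ ys[x2]) & out_mask) == 0)
    return Fraction(hits, len(pairs))

def capacity(rounds, in_mask, out_mask):
    """Sum of squared correlations over all nonzero (a, b) inside the two masks."""
    ys = [toy_perm(x, rounds) for x in range(1 << B)]
    total = 0
    for a in submasks(in_mask):
        for b in submasks(out_mask):
            if a or b:
                s = sum(1 - 2 * (bin((a & x) ^ (b & y)).count("1") & 1)
                        for x, y in enumerate(ys))
                total += s * s
    return Fraction(total, 1 << (2 * B))

def check_link(rounds, in_mask, out_mask):
    """Return (p, 2^-q * (C + 1)); the two agree exactly for any function."""
    q = bin(out_mask).count("1")
    p = truncated_prob(rounds, in_mask, out_mask)
    return p, (capacity(rounds, in_mask, out_mask) + 1) / 2**q
```

Calling `check_link(3, 0x0F, 0xF0)` returns two equal fractions; how far p sits above the uniform value 2^-q is the bias a truncated differential distinguisher exploits.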

Funded by

National Basic Research Program of China (973 Program) (2013CB834205)

National Natural Science Foundation of China (61602276)

National Natural Science Foundation of China (61133013)

National Natural Science Foundation of China (61303258)

National Natural Science Foundation of China (61672516)

National Natural Science Foundation of China (61572293)

Strategic Priority Research Program of the Chinese Academy of Sciences (XDA06010701)

Program for New Century Excellent Talents in University of China (NCET-13-0350)

Acknowledgments

This work was supported by National Basic Research Program of China (973 Program) (Grant No. 2013CB834205), National Natural Science Foundation of China (Grant Nos. 61602276, 61672516, 61303258, 61133013, 61572293), Strategic Priority Research Program of the Chinese Academy of Sciences (Grant No. XDA06010701), and Program for New Century Excellent Talents in University of China (Grant No. NCET-13-0350). The authors are grateful to Lei WANG for inspiring this work and many helpful suggestions. The authors would also like to thank Jérémy JEAN for providing TikZ code of PRESENT block cipher [Jean15].